RF760/660/600VPN Internet Security Appliance User Guide
User Guide
RouteFinder RF760/660/600VPN
S000323D Revision D
This publication may not be reproduced, in whole or in part, without prior expressed written permission from Multi-Tech Systems, Inc. All rights reserved.
Copyright © 2005 by Multi-Tech Systems, Inc.
Multi-Tech Systems, Inc. makes no representations or warranty with respect to the contents hereof and specifically disclaims any implied warranties of merchantability or fitness for any particular purpose. Furthermore, Multi-Tech Systems, Inc.
Table of Contents
Chapter 1 – Product Description, Features, and Overview
  Product Description
  Features
Chapter 6 – RouteFinder Software
  Menu Bar
  Administration
  Packet Filters
  Packet Filters > Packet Filter Rules
  Packet Filters > ICMP
  X. Fragmented Dropped Log
  XI. ICMP Information
Appendix B – The RouteFinder Rescue Kernel
Chapter 1 – Product Description, Features, and Overview

Your Multi-Tech Systems, Inc. RouteFinder Internet security appliance is an integrated VPN gateway/firewall designed to maximize network security without compromising network performance.
Feature Highlights
RouteFinder Applications. The RouteFinder combines Virtual Private Networking (VPN), firewall, e-mail anti-virus protection, and content filtering in one box. It is a cost-effective, easy-to-manage solution that is ideal for the small to medium business looking to add one or all of the following applications to their network:
• Remote User VPN.
E-mail Anti-Virus Protection. Computer viruses are one of the leading security threats to Internet-connected networks. Users can unknowingly download and launch dangerous viruses that can damage data or cause computer crashes. Viruses can also be used as delivery mechanisms for hacking tools, compromising the security of the network, even if a firewall is installed.
License Keys
System License Key
Each RouteFinder VPN ships with a unique individual system License Key, a 20-digit alphanumeric number. You can enter and view License Key information from the RouteFinder's Web Management software at Administration > License Key > Open System License Key. This screen shows the entered License Key number and indicates whether it is a valid License Key number.
Safety Warnings
Lithium Battery Caution
Danger of explosion if the battery is incorrectly replaced. A lithium battery on the RouteFinder VPN PC board provides backup power for the time-keeping capability. The battery has an estimated life expectancy of ten years. When it starts to weaken, the date and time may be incorrect. If the battery fails, send the board back to Multi-Tech for battery replacement.
RouteFinder Front Panels
RF760/660VPN Front Panel
The RF760VPN and the RF660VPN have 16 LEDs that show device and network operating status. For the RF760VPN, these LEDs are labeled 10/100/1G.
• When 10, the LED is Off.
• When 100, the LED is Green.
• When 1G, the LED is Orange.
RF760/660VPN LED Descriptions
LAN LEDs
LINK: LAN LINK LED - Indicates link integrity for the LAN Ethernet port.
RF600VPN Front Panel
The RF600VPN has 12 front panel LEDs that show the network operating status.
General LED Descriptions (POWER, STATUS, HDD ACT)
POWER LED - Off when the RF600VPN is in a reset state. When the POWER LED is lit, the RF600VPN is not in a reset state.
STATUS LED - Off when the RF600VPN is booting up.
HDD ACT (Hard Disk Drive Activity) LED - Lights when the RF600VPN hard disk drive is accessed.
RouteFinder Back Panels
RF760VPN Back Panel
The RF760VPN back panel has three fans, a power plug, a POWER switch (| / O), an RJ-11 LINE jack, a DB-9 COM1 jack, a DB-15 high-density DSUB (VIDEO) jack, a keyboard jack, an Ethernet 10/100/1000 DMZ port, an Ethernet 10/100/1000 WAN port, and an Ethernet 10/100/1000 LAN port.
Specifications
Appliance Features: RF760VPN / RF660VPN / RF600VPN
Ethernet: 3x10/100/1000BaseT (LAN, WAN, DMZ) / 3x10/100BaseT (LAN, WAN, DMZ) / 3x10/100BaseT (LAN, WAN, DMZ)
Unlimited / Unlimited / Unlimited
Both / Both / Both
RF760VPN / RF660VPN / RF600VPN: Yes / Yes / Yes
50 Mbps
Security: IPSec, IKE, NAT, PPTP, HTTPS, SSH, SCP
Authentication: Shared secret and built-in authentication server
Network: TCP/IP, DNS
Filtering: Protocol, port number, and IP address
Proxies: HTTP, S
Power & Physical Description
RF760VPN
Power - Voltage & Frequency: 100-240 V AC, 50-60 Hz
Power Consumption: 50 Watts
Physical Description: Dimensions: 17" w × 1.75" h × 10.5" d (43.18 cm × 4.45 cm × 26.67 cm); Weight: 10 lbs. (4.54 kg); Temperature Range: 32° to 120° F (0-50°C); Humidity: 25-85% noncondensing
FCC Part 68, FCC Part 15 (Class A), CE Mark, UL60950, ICSA Firewall Certified
RF660VPN
Power - Voltage & Frequency: 100-240 V AC, 50-60 Hz
Power Consumption: 30 Watts
Physical Description: Dimensions: 17" w × 1.
Overview of RouteFinder VPN Technology
Before we look at how the RouteFinder works and how to use it, we will illustrate why the RouteFinder is necessary for the protection of networks, and show which problems and risks exist without an appropriate security system.
Networks
The systems in the global network communicate via the Internet Protocol family (IP), including TCP, UDP, and ICMP. IP addresses are the basis of this communication.
The great advantage of a network layer firewall is its independence of both the operating system and the applications running on the machine. In more complex network layer firewall implementations, the packet filtering process includes the interpretation of the packet payload. The status of every current connection is analyzed and recorded. This process is called stateful inspection.
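The stateful inspection described above, written out as a small connection tracker. This is an added example and not code from the RouteFinder guide or the appliance: the protected network 192.168.1.0/24, the Packet fields and the sample packet sequence are constructed for the illustration, and the TCP state handling is simplified (a single FIN from either side ends tracking of the connection).

```python
# Added example (not from the RouteFinder guide): a minimal stateful packet
# filter. Outbound TCP connections from the protected LAN are recorded in a
# state table; inbound packets are accepted only when they belong to a
# recorded connection. Addresses, ports and packets are constructed samples.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network

LAN = ip_network("192.168.1.0/24")  # assumed protected network


@dataclass(frozen=True)
class Packet:
    src: str
    sport: int
    dst: str
    dport: int
    syn: bool = False  # first packet of a new TCP connection
    fin: bool = False  # connection close (simplified: one FIN ends tracking)


class StatefulFilter:
    def __init__(self):
        # Each entry is (client_ip, client_port, server_ip, server_port).
        self.table = set()

    def handle(self, pkt):
        """Return 'accept' or 'drop' for pkt and update the state table."""
        if ip_address(pkt.src) in LAN:
            # Outbound: a SYN opens state; anything else needs existing state.
            key = (pkt.src, pkt.sport, pkt.dst, pkt.dport)
            if pkt.syn:
                self.table.add(key)
                return "accept"
        else:
            # Inbound: only replies to a tracked connection are accepted.
            key = (pkt.dst, pkt.dport, pkt.src, pkt.sport)
        if key not in self.table:
            return "drop"
        if pkt.fin:
            self.table.discard(key)
        return "accept"


def demo():
    """Run a constructed packet sequence and return the decisions in order."""
    f = StatefulFilter()
    sequence = [
        Packet("192.168.1.10", 40000, "203.0.113.5", 80, syn=True),  # LAN host opens
        Packet("203.0.113.5", 80, "192.168.1.10", 40000),  # server reply: tracked
        Packet("203.0.113.9", 51515, "192.168.1.10", 22),  # unsolicited inbound
        Packet("203.0.113.5", 80, "192.168.1.10", 40000, fin=True),  # close
        Packet("203.0.113.5", 80, "192.168.1.10", 40000),  # after close
    ]
    return [f.handle(p) for p in sequence]
```

A stateless packet filter would have to leave the client port (or every high port) open inbound permanently for the server's reply to get through; the state table admits the reply only for the lifetime of the connection the LAN host opened, and an inbound packet that matches no tracked connection is dropped whatever port it targets.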
To satisfy today’s business world needs, the IT infrastructure must offer real-time communication and co-operate closely with business partners, consultants, and branches.
Typical Applications
Remote User VPN
The client-to-LAN VPN application replaces traditional dial-in remote access by allowing a remote user to connect to the corporate LAN through a secure tunnel over the Internet. The advantage is that a remote user can make a local call to an Internet Service Provider, without sacrificing the company’s security, as opposed to a long distance call to the corporate remote access server.
Chapter 2 – Installation

Pre-Installation Planning
Planning and Establishing the Corporate Security Policy
Having an organization-wide security policy is the first, and perhaps most important, step in general security planning.
Planning the Network
Before installing, you should plan your network and decide which computer is to have access to which services. This simplifies configuration and saves you a lot of time that you would otherwise need for corrections and adjustments.
Establishing an Address Table
Enter the configuration information (e.g., the IP addresses used, Net Mask addresses, and the Default Gateway) into the appropriate field of the Address Table below.
Installation Overview
RouteFinder VPN installation is divided into four steps:
1. Hardware installation
2. Cabling
3. Software initial configuration
4. RouteFinder configuration
Hardware Installation Procedure
The RouteFinder VPN is designed to install either on a desktop or in a standard EIA 19" rack and is shipped with the mounting hardware to install it in a standard EIA 19" rack.
Setting up a Workstation and Starting the RouteFinder VPN
This section of the Quick Start Guide covers the steps for setting up a workstation that is connected to the RouteFinder VPN, starting up the RouteFinder VPN, opening the RouteFinder VPN Web Management program, performing the time zone setup, and using the Menu bar to navigate through the Web Management software screens.
Connections
1. Connect a workstation to the RouteFinder's LAN port via Ethernet.
Login
8. The Login screen is displayed.
• Type the default User name: admin (all lower-case).
• Tab to the Password field and type the default password: admin (all lower-case).
• Click the Login button.
Note: The User name and Password entries are case-sensitive (both must be typed in lower-case). The password can be up to 12 characters. Later, you will want to change the password from the default (admin) to something else.
Navigating Through the Screens
Before using the software, you may find the following information about navigating the screens and the structuring of the menus helpful.
Sub-Menu
Each item on the Menu Bar has its own sub-menu, which displays on the left side of the screen. When you click one of the Menu Bar buttons, the screen that displays is the first sub-menu option. You can choose other sub-menu screens by clicking the screen name in the sub-menu. This is an example of the Administration sub-menu. It displays when Administration is clicked on the Menu Bar.
Chapter 3 – Configuration

Initial Configuration Step
Set Up Your Time Zone
Click Administration on the menu bar. The System Setup screen displays. Set the following:
• Set System Time by selecting your Time Zone
• Set the current Day, Month, Year, Hour, and Minute
Second Configuration Step
Using the Wizard Setup is a quick way to enter the basic configuration parameters that allow communication between the LAN’s workstation(s) and the Internet, as shown in the example below.
Important Note: An initial configuration must be completed for each type of RouteFinder function: firewall configuration, LAN-to-LAN configuration, and LAN-to-Remote Client configuration.
The Wizard Setup Screen
Click on the Wizard Setup button. The following screen displays.
1. Enter your Administrator Email Address (can be anything). Example: admin@yourdomain.com
2. Enter your Hostname for the RouteFinder (can be anything). Example: routefinder.domainname.com
3. LAN IP Address and Subnet Mask default into the fields. This should be acceptable for your site.
Enter the WAN IP Address. This is the PUBLIC STATIC IP address.
Chapter 4 – Configuration Examples

Example 1 – LAN-to-LAN VPN (Branch Office)
The setup for a LAN-to-LAN VPN (branch office) requires two RF660VPNs: one in the home office and one in the remote branch office. It requires additional parameters beyond the Wizard Setup to be entered; these are listed in the table below. For the RouteFinder VPN in the remote branch office, follow the same procedures as for the home office; just use different IP addresses.
Setup Networks & Services
Site A Configuration on the RouteFinder VPN in the Home Office
To configure your RouteFinder VPN in the home office in preparation for connection to a remote branch office, click the Networks & Services button on the Menu bar, and then select Networks. Set the following:
1. Add a network for the remote LAN port (private LAN on eth0 at the branch office). Enter the following:
• Name = RemoteLAN
• IP address = 192.168.10.0
• Subnet mask = 255.255.
Set Packet Filters
Site A Configuration: RouteFinder VPN in the Home Office
Establish remote access filtering: click on Packet Filters > Packet Filter Rules.
1.
Set VPN IPSec Protocol
Site A Configuration: RouteFinder VPN in the Home Office
Establish an IPSec protocol for your remote branch office access: click on VPN > IPSec.
1. Check the VPN Status box, and then click Save.
2. Click the Add button for Add IKE Connection. The VPN IPSec > IKE screen displays.
3. Enter the following information in order to establish an IPSec IKE connection.
• Enter a Connection name. (Example: SiteA)
• Place a checkmark in the box to enable Perfect Forward Secrecy.
• Select Secret for the Authentication Method.
• Enter a shared Secret string using alphanumeric characters. (Example: 1o2t3t4f)
• Select 3DES for Select Encryption.
• Accept the defaults for IKE Life Time and Key Life.
Example 2 – Remote Client-to-LAN VPN Configuration
This VPN function sets up your RouteFinder so that your network allows a remote client to access the LAN through a secure tunnel over the Internet. Your RouteFinder includes an easy-to-use IPSec VPN client connection that transparently secures your Internet communications anytime, anywhere. This example shows the setup that allows a remote client to see a LAN, where the remote client is using SSH Sentinel.
Example 3 – Remote Client-to-LAN Configuration Using DNAT and Aliasing
Use this procedure to configure the RF660VPN with DNAT and Aliasing. This configuration allows a Windows 2000 Remote Client to Telnet through the RF660VPN to several Windows 2000 systems located on the LAN.
Example 4 – Client-to-LAN Configuration Using PPTP Tunneling
Use this procedure to configure the RF660VPN as a PPTP server for VPN Remote Client Access (aka PPTP Roadwarrior configuration). (Note: IPX and NetBEUI are not supported when using PPTP tunneling.)
Chapter 5 – URL Categorization

The Universal Resource Locator (URL) Categorization License Key allows you to set up a URL database that limits clients’ access to places on the Internet by blocking sites you do not want accessed. In other words, you can deny users access to various categories of Web sites you select.
Important Settings
• Client access to the Internet works in conjunction with the HTTP proxy running in transparent mode.
• Go to the Administration > License Key screen to enter your URL License Key. This is required in order to use this feature.
• Click the Open button across from URL Categorization License Key. The Administration > License Key > URL Categorization screen displays.
• Using upper case letters, enter the 11-digit serial number of the URL License Key and click the Save button. IMPORTANT: It is important that the serial number be entered in upper case.
• The URL Categories screen displays. You can use this screen to allow or block Web sites from users.
• Use the Allow and Filter buttons to move a URL Category from the URL Categories Allowed list to the URL Categories Filtered list, or from Filtered to Allowed.
• When you have established your filtered and allowed categories, click the Backup button to create a backup of your URL category database files.
Chapter 6 – RouteFinder Software

This chapter describes each screen and its function in the RouteFinder VPN software. The aim of the administrator in setting the options in the software should be to let as little as possible and as much as necessary through the RouteFinder VPN, for both incoming and outgoing connections.
Note: If you have not done so already, plan your network and decide which computers are to have access to which services.
Administration
Administration > System Setup
In the Administration part of the software, you can set the RouteFinder's general system-based parameters. System Setup includes general system parameters such as the Administrator's email address, SNMP Agent, System Logging, Remote Syslog Host, and the System Time.
Email Notification
Email Address: Enter the Email Address of the administrator who will receive the email notifications. Click Save.
Configure Email Notifications the RouteFinder VPN Will Send
Select the types of notifications that you want sent. Click the Add button. The name will then appear in the Send Email Notification For box. You can remove a type by clicking the Delete button. The name will then move back to the Don't Send Email Notification For box.
1. Export Backup (the backup file will be attached)
2.
Administration > SSH
What Is SSH
SSH (Secure Shell) is a program to log into another computer over a network, to execute commands on a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over an insecure network. It is intended as a replacement for rlogin, rsh, and rcp. The SSH configuration provides access to the firewall using an SSH channel.
Administration > SNTP Client
SNTP (Simple Network Time Protocol) is an Internet protocol used to synchronize the clocks of computers on the network. Clicking the SNTP Client check box enables the firewall to act as an SNTP client.
SNTP Client: Check the SNTP Client box to activate the SNTP client.
SNTP Server Address: Enter the IP address of the SNTP server that the firewall will contact to synchronize its clock. Then click the Save button.
Administration > Administrative Access
The networks and hosts that are allowed to have administrative access are selected on this screen. This is a good way to regulate access to the configuration tools.
Administrative Access - Available Networks and Allowed Network
Select the networks/hosts that will be allowed administrative access.
Change Password
You should change the password immediately after initial installation and configuration, and also change it regularly thereafter. To change the password, enter the existing password in the Old Password field, enter the new password into the New Password field, and confirm your new password by re-entering it into the Confirmation entry field.
Administration > Site Certificate
Public keys are used by the encryption algorithms of security systems. To establish the validity of public keys, certificates are issued by a Certificate Authority. The Certificate Authority certifies that the person or entity is authenticated and that the present public key belongs to that same person or entity.
Administration > License Key
The system license key, virus scanner license key, and the URL Categorization engine license key can be configured from this screen.
Notes:
• Each RouteFinder ships with a unique individual system license key. It is a 20-digit code that is provided on the RouteFinder CD.
• Each RouteFinder ships with a URL Categorization License Key. It is provided on the RouteFinder CD.
Administration > Intrusion Detection
The Intrusion Detection mechanism notifies the administrator if there has been any tampering with the files on the server.
Intrusion Detection
Enable File Integrity Check – Check the box to enable File Integrity Checking.
Time Interval – Select how often you would like the system to conduct this check. Options are every 5 Minutes, Hourly, or Daily. Then click the Save button.
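A file integrity check of the kind this screen enables, as an added example that is not the RouteFinder's own implementation. It records a baseline of SHA-256 digests for a directory tree and, on a later run, reports files that were modified, added or removed. The tree it examines is constructed in a temporary directory; the file names and contents are sample data.

```python
# Added example (not the RouteFinder's own implementation): a file integrity
# checker. A baseline of SHA-256 digests is taken for a directory tree and a
# later snapshot is compared against it. The tree below is constructed in a
# temporary directory; file names and contents are sample data.
import hashlib
import os
import tempfile


def snapshot(root):
    """Map each file under root (relative path, '/'-separated) to its SHA-256."""
    digests = {}
    for dirpath, _dirs, files in os.walk(root):
        for name in files:
            path = os.path.join(dirpath, name)
            h = hashlib.sha256()
            with open(path, "rb") as fh:
                for chunk in iter(lambda: fh.read(65536), b""):
                    h.update(chunk)
            rel = os.path.relpath(path, root).replace(os.sep, "/")
            digests[rel] = h.hexdigest()
    return digests


def compare(baseline, current):
    """Return (modified, added, removed) as sorted lists of relative paths."""
    modified = sorted(p for p in baseline if p in current and baseline[p] != current[p])
    added = sorted(p for p in current if p not in baseline)
    removed = sorted(p for p in baseline if p not in current)
    return modified, added, removed


def _write(root, rel, text):
    """Create or overwrite a sample file at rel (creating directories)."""
    path = os.path.join(root, *rel.split("/"))
    os.makedirs(os.path.dirname(path), exist_ok=True)
    with open(path, "w") as fh:
        fh.write(text)


def demo():
    """Build a sample tree, take a baseline, change it, and return the report."""
    with tempfile.TemporaryDirectory() as root:
        _write(root, "etc/ntp.conf", "server 192.168.1.1\n")
        _write(root, "etc/motd", "RouteFinder sample\n")
        _write(root, "bin/tool", "#!/bin/sh\necho ok\n")
        baseline = snapshot(root)

        # Changes made after the baseline: one edit, one new file, one deletion.
        _write(root, "etc/ntp.conf", "server 203.0.113.7\n")
        _write(root, "etc/extra.conf", "new=1\n")
        os.remove(os.path.join(root, "etc", "motd"))

        return compare(baseline, snapshot(root))
```

The baseline must be kept where the tree it describes cannot rewrite it, otherwise a change that also updates the baseline goes unreported. The check interval bounds how long a change can go unnoticed: with the 5 Minutes setting, the shortest this screen offers, a modification is reported within five minutes rather than within a day.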
Administration > Tools
There are three tools that can help you test the network connections and RouteFinder functionality. Ping and Trace Route test the network connections on the IP level. TCP Connect tests TCP services for availability.
Notes:
1. For these tools to function, the ICMP on firewall function in Packet Filter > ICMP must be enabled.
2. For the Name Resolution function, enable the DNS proxy function in Proxy > DNS.
Trace Route
Trace Route is a tool for finding errors in the network routing. It lists each router’s address on the way to remote systems. If the path for the data packets is temporarily unavailable, the interruption is indicated by asterisks (*). After a number of tries, the attempt is aborted. The interrupted connection can have many causes, including the packet filter on the RouteFinder not allowing the operation of Trace Route.
Administration > System Scheduler
The System Scheduler is a module built into the RouteFinder that schedules the tracking or checking of the following:
• Tracking bounced emails on the SMTP Proxy
• Tracking bounced RouteFinder emails
• Tracking SMTP Report Logs
• Checking disk usage of quarantined emails
1. Click Change Schedule Period for the Event Name that you would like to change.
Administration > User Authentication > Local Users
In this part of the software, enter local users and define their access to various proxies. External user databases can also be accessed (e.g., RADIUS servers, Windows NT servers, or Windows 2000 servers). User Authentication is useful if a user database already exists on such a server, in which case the user need not be created on the RouteFinder again.
Administration > User Authentication > RADIUS & SAM
RADIUS (Remote Authentication Dial-In User Service) is a protocol with which equipment such as an ISDN router can access information from a central server for user authentication. It also manages technical information needed for the communication of the router with the equipment of the caller.
SAM
Prerequisite
In order to be able to use this authentication method, your network requires a Microsoft Windows NT or 2000 computer that contains the user information. This can be a Primary Domain Controller (PDC) or an independent server. This server has a NETBIOS name (the NT/2000 server name) and an IP address.
1. Under the Administration menu, open User Authentication > RADIUS & SAM.
Administration > Restart
1. Click the Restart button to shut down and restart the RouteFinder. The message Are you sure you want to restart the system? is displayed.
2. Click the OK button to confirm that you want to restart the RouteFinder WebAdmin software. The complete restart can take 4 to 5 minutes.
Networks & Services
Networks & Services > Networks
A network always consists of a Name, an IP address, and a Subnet Mask address. Once you add a network, the information displays at the bottom of the screen. This network table contains some generic networks by default, which cannot be deleted or edited.
Important Notes:
• LAN and WAN interfaces will change if changes are made to LAN/WAN IP addresses in Network Setup.
After clicking the Add button, the Networks you have set up display on the lower part of the screen.
Example 1 – After the networks in the example are added, you will see the following entries added to the table on this screen:
Name           IP Address     Subnet Mask
RemoteLAN      192.168.100    255.255.255.0
RemoteWAN_IP   204.26.122.3   255.255.255.
Networks & Services > Services
On this screen you can set the RouteFinder protocol services. Protocols make ongoing administration easier and enable the configuration of user-defined services. These services are used in many of the other configuration settings on the system. A service protocol setting consists of a Name, the Protocol, the S-Port/Client (source port), and the D-Port/Server (destination port).
Editing and Deleting User-Added Services
There are options for editing or deleting the user-added services. However, there are some standard services which cannot be edited or deleted. If a service is used by the Packet Filter rules, SNAT, or DNAT, it cannot be deleted. To edit any user-defined service, click the Edit button to get the fields corresponding to the service entry.
Networks & Services > Network Groups
On this screen you can combine various networks into groups. The networks added on the Networks & Services > Networks screen can be placed into groups.
Rules and Suggestions for Establishing a Network Group
• A network that is already a part of a group cannot be added to any other group.
• It is suggested that you start a group name with a G- or Group-.
Networks & Services > Service Groups
On this screen you can combine multiple Services (see the Services section) into groups, called Service Groups. Service Groups are treated like single services.
Rules and Suggestions for Establishing Service Groups
• A service that is already a part of a group cannot be added to any other group.
• A service can also be deleted from a group.
• Every change made to Service Groups is effective immediately.
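The Networks, Services, Network Groups and Service Groups described in the preceding sections, modelled in code together with a first-match rule evaluator that consumes them. This is an added example, not RouteFinder code: the class names, the G-/Group- naming check and the one-group-per-member rule follow the text above, but the sample networks, services and rules are constructed here, and the first-match evaluation order and the default DROP are assumptions about how such a policy is applied, not a description of the appliance's packet filter.

```python
# Added example (not RouteFinder code): an object model for Networks, Services,
# Network Groups and Service Groups, with a first-match rule evaluator. The
# G-/Group- naming check and the one-group-per-member rule follow the guide's
# text; rule ordering and the default DROP are assumptions. Sample data only.
from ipaddress import ip_address, ip_network


class Network:
    def __init__(self, name, address, mask):
        self.name, self.group = name, None
        self.net = ip_network(f"{address}/{mask}", strict=False)

    def contains(self, ip):
        return ip_address(ip) in self.net


class Service:
    def __init__(self, name, proto, dport):
        self.name, self.proto, self.group = name, proto, None
        lo, _sep, hi = dport.partition(":")  # "80" or a range "1024:65535"
        self.lo, self.hi = int(lo), int(hi or lo)

    def matches(self, proto, port):
        return proto == self.proto and self.lo <= port <= self.hi


class Group:
    """A Network Group or Service Group: matches when any member matches."""

    def __init__(self, name, members):
        if not name.startswith(("G-", "Group-")):
            raise ValueError("group names should start with G- or Group-")
        for m in members:
            if m.group is not None:  # a member may belong to one group only
                raise ValueError(f"{m.name} is already in group {m.group}")
            m.group = name
        self.name, self.members, self.group = name, list(members), None

    def contains(self, ip):
        return any(m.contains(ip) for m in self.members)

    def matches(self, proto, port):
        return any(m.matches(proto, port) for m in self.members)


class Rule:
    def __init__(self, src, service, dst, action):
        self.src, self.service, self.dst, self.action = src, service, dst, action


def evaluate(rules, src_ip, dst_ip, proto, dport, default="DROP"):
    """Return the action of the first rule matching the packet, else default."""
    for r in rules:
        if r.src.contains(src_ip) and r.dst.contains(dst_ip) and r.service.matches(proto, dport):
            return r.action
    return default


def build_policy():
    """Constructed sample policy: trusted LANs may reach web services in the DMZ."""
    lan = Network("LAN", "192.168.1.0", "255.255.255.0")
    remote = Network("RemoteLAN", "192.168.10.0", "255.255.255.0")
    dmz = Network("DMZ", "10.0.0.0", "255.255.255.0")
    any_net = Network("Any", "0.0.0.0", "0.0.0.0")
    web = Group("G-Web", [Service("HTTP", "tcp", "80"), Service("HTTPS", "tcp", "443")])
    trusted = Group("G-Trusted", [lan, remote])
    dns = Service("DNS", "udp", "53")
    return [
        Rule(trusted, web, dmz, "ACCEPT"),
        Rule(lan, dns, any_net, "ACCEPT"),
        Rule(any_net, web, dmz, "REJECT"),
    ]
```

Because the evaluator stops at the first match, rule order is part of the policy: the REJECT for web traffic from anywhere else behaves as intended only because the trusted-network rule precedes it, and anything not covered by a rule falls through to the default.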
Proxy
While the packet filter filters the data traffic on a network level, the use of a Proxy (also called an Application Gateway) increases the security of the RouteFinder on the application level, as there is no direct connection between client and server. Every proxy can offer further security for its application protocols.
Proxy > HTTP Proxy
The HTTP Proxy is capable of transferring WWW requests. HTTP use can be viewed in the Statistics & Logs menu.
HTTP Proxy Section
Status: To enable HTTP, check the Status box and click Save.
Transparent: To enable Transparent mode, place a check mark in the Transparent box and click the Save button. This mode matches only HTTP requests on port 80 from the internal network and forwards them to the proxy.
Proxy > HTTP Proxy > URL Categorization
URL Categorization Section of the Main Proxy HTTP Screen
1. Enable URL Categorization by checking the URL Filter box on the main Proxy HTTP screen. The URL Categorization section expands as shown here (a cutout section of the main screen with the URL Categorization section expanded is shown here).
2. Click the URL Categories (allowed/filtered) Edit button. The URL Categories screen displays.
Proxy > HTTP Proxy > User Authentication
User Authentication Section of the Main Proxy HTTP Screen
To enable User Authentication, check the User Authentication box and click Save (a cutout section of the main screen with the User Authentication section expanded is shown here).
Note: If User Authentication is disabled, then the HTTP Proxy can be configured to function in transparent mode.
Authentication Types
1.
Proxy > HTTP Proxy > Custom Filters
The URL Categories on the HTTP Proxy page allow URLs to be filtered or forwarded by the firewall. On this screen, you can configure Custom Filters. Custom filters take precedence over URL categories. You can use custom filters to build groups of filters or lists that can be filtered by networks.
Access Rules
The Access Rules function enables you to define custom rules. With these custom rules, networks or network groups can be allowed or denied access to certain URLs. URLs can be added to or deleted from this list. Click the Edit button to open a screen for entering URLs into the list. A text box and a list box for the URL will be shown. The list box will contain the list of URLs that are already part of this list.
Proxy > SMTP Proxy
On this screen (the full screen displays once the Status box is checked), you can configure the SMTP proxy and the Virus Protection function. The SMTP proxy acts as an email relay. It accepts email for your Internet domains and passes it on to your internal email distribution system. This can be accomplished via a Microsoft Exchange Server, for example. Emails are transparently scanned for known viruses and other harmful content.
When Status is checked, the screen expands to display the following fields:
Accepted Incoming Domains
All the domains for which the SMTP Proxy can accept emails must be listed here. The domain for which emails are accepted must be registered with the DNS server. Thus, the SMTP Proxy accepts only emails which are addressed to the domains listed here. Domains will be listed in the drop-down box, from which they can be deleted, if desired.
SMTP Proxy Example
An entry Company.com covers all further sub-domains; for example, subsidiary1.Company.com and subsidiary2.Company.com. The RouteFinder must be the MX (Mail Exchanger) for Company.com. Incoming emails to non-registered domains are rejected (except for senders listed in Mail relay for below). Confirm every registered domain by clicking the Add button.
Proxy > SMTP Proxy > SMTP SPAM Filtering
On this screen the SPAM filtering parameters can be set so that all incoming and outgoing emails sent to the internal mail server(s) will go through the SPAM filtering process.
RBL (Real Time Black List)
Check Real Time Black List (RBL) – Check this box to block emails from the IP addresses listed in RBL sites.
Chapter 6 – RouteFinder Software Proxy > SMTP Proxy > SMTP SPAM Filtering Recipient Black List Enter a recipient’s email address to be blocked. Then, if the recipient’s email address matches any entry in the list, the email will not be forwarded. If all email from a domain is to be blocked, add this @ symbol before the domain name: testuser@routefinder.yourdomain.com If you want to block all email from the domain routefinder. yourdomain.com, then add it as @routefinder.yourdomain.
Chapter 6 – RouteFinder Software Proxy > SMTP Proxy > SMTP SPAM Filtering Message Filtering. If you check this option, then the email message or body will be searched for the extensions and expressions added here. If there is a match, the email will be quarantined so that the administrator can decide whether to forward or delete the email. Note About Extensions: Examples of extensions are bmp, exe, gif. Also, double extensions such as tar.gz cannot be used.
Proxy > POP3 Proxy
In order to use this function, you must have a valid Antivirus Scanner license key installed. To install one, go to the Administration > License > Virus Scanner page. Use this screen to configure POP3 virus filtering-related settings. All outgoing email will go through this POP3 virus filtering process.
Note About This Screen: Initially, only the POP3 Virus Protection prompt and the Remote POP3 Virus Quarantine Status prompt display.

Proxy > POP3 Proxy > POP3 SPAM Filtering
The administrator can configure POP3 SPAM filtering and related settings on this screen. All outgoing email retrieved from the internal mail server(s) will go through this POP3 virus filtering.

POP3 SPAM Protection
POP3 SPAM Protection – Check the box to enable POP3 SPAM Protection.

Recipient White List
Enter the recipient email IDs that will not be checked for SPAM. For example, if all the emails from the specific domain cde.com are not to be checked for SPAM, then the entry should be @cde.com. Once you enter the ID and click the Add button, the ID displays in a list below the entry field. You may enter more than one email ID, and each ID can be deleted.
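The list conventions described above for the SMTP proxy (an accepted domain covering its sub-domains, the Recipient Black List, the Message Filtering extensions) and for the POP3 Recipient White List share one matching logic. The following Python is an added illustration of that logic, not RouteFinder code; the class and function names and the sample addresses are constructed for this example.

```python
"""Mail list semantics from the SMTP and POP3 proxy sections (added
illustration, not RouteFinder code). It models three stated conventions:
  * an Accepted Incoming Domain such as Company.com also covers its
    sub-domains (subsidiary1.Company.com, ...);
  * a Recipient Black/White List entry is either a full address
    (testuser@routefinder.yourdomain.com) or "@domain" for every address
    in that domain;
  * Message Filtering entries are single extensions (bmp, exe, gif);
    double extensions such as tar.gz cannot be used.
All names below and the sample messages are constructed for this example.
"""
from dataclasses import dataclass, field
from typing import Iterable, Sequence


def domain_of(address: str) -> str:
    """Return the lower-cased domain part of an email address."""
    local, sep, domain = address.strip().lower().rpartition("@")
    if not sep or not local or not domain:
        raise ValueError(f"not an email address: {address!r}")
    return domain


def is_accepted_domain(domain: str, accepted: Iterable[str]) -> bool:
    """True if domain equals an accepted entry or is a sub-domain of one."""
    domain = domain.lower().rstrip(".")
    for entry in accepted:
        entry = entry.lower().strip().rstrip(".")
        if domain == entry or domain.endswith("." + entry):
            return True
    return False


def recipient_matches(address: str, entries: Iterable[str]) -> bool:
    """Recipient list match: exact address, or '@domain' covering that domain.

    The '@domain' form is an exact domain match here: the page describes it
    as 'all email from the domain', not as including sub-domains.
    """
    address = address.strip().lower()
    domain = domain_of(address)
    for entry in entries:
        entry = entry.strip().lower()
        if entry.startswith("@"):
            if domain == entry[1:]:
                return True
        elif address == entry:
            return True
    return False


def validate_extension_entry(entry: str) -> str:
    """Normalise a Message Filtering extension entry; reject double extensions."""
    ext = entry.strip().lower().lstrip(".")
    if not ext or "." in ext or not ext.isalnum():
        raise ValueError(f"invalid extension entry: {entry!r}")
    return ext


def attachment_extension(filename: str) -> str:
    """Last extension of an attachment name, lower-cased ('x.tar.gz' -> 'gz')."""
    return filename.rsplit(".", 1)[-1].lower() if "." in filename else ""


@dataclass
class Message:
    sender: str
    recipient: str
    attachments: Sequence[str] = field(default_factory=tuple)


@dataclass
class SmtpProxyPolicy:
    accepted_domains: Sequence[str]
    recipient_blacklist: Sequence[str] = ()
    filtered_extensions: Sequence[str] = ()

    def __post_init__(self) -> None:
        self.filtered_extensions = [validate_extension_entry(e)
                                    for e in self.filtered_extensions]

    def disposition(self, msg: Message) -> str:
        """Return 'reject', 'drop', 'quarantine' or 'forward' for a message."""
        if not is_accepted_domain(domain_of(msg.recipient), self.accepted_domains):
            return "reject"      # not one of our domains: the relay refuses it
        if recipient_matches(msg.recipient, self.recipient_blacklist):
            return "drop"        # black-listed recipient: not forwarded
        if any(attachment_extension(a) in self.filtered_extensions
               for a in msg.attachments):
            return "quarantine"  # held for the administrator's decision
        return "forward"
```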
Proxy > SOCKS Proxy
SOCKS is a universal proxy supported by many client applications. SOCKS5 is an IETF (Internet Engineering Task Force) approved standard proxy protocol for TCP/IP-based networking applications. The basic purpose of the protocol is to enable hosts on one side of a SOCKS server to gain access to hosts on the other side of the SOCKS server without requiring direct IP access.

Allowed Users and Available Users
Enter a straightforward name that will identify a user group in the Allowed Users text box. Click the Add button. The name will display in the Available Users box. Once the name has been accepted, you can delete it at any time.

Add Users
A list of all users who are allowed to access the SOCKS Proxy can also be configured by selecting the users from the right selection box and clicking the Add button.

Proxy > DNS Proxy
DNS Proxy is a module used to redirect DNS requests to name servers. This module supports a caching-only name server, which stores the DNS entries for a specified time. When the same name is queried again, the values are taken from the cache and the response is sent by the module itself. This shortens the waiting time significantly, especially over a slow connection.
Network Setup
The Network Setup menus consist of the Interface, PPP, PPPoE, DHCP Client, Dynamic DNS, Routes, Masquerading, SNAT, and DNAT screens. With DNAT and SNAT, the destination and source addresses of IP packets are translated. With Masquerading you can hide private networks from the outside world behind one official IP address.

Network Setup > Interface

Local Host
Default Gateway and Host Name
The Default Gateway and the Host Name must be defined for your RouteFinder. The Default Gateway was already set during initial installation. Click the Save button after entering the Host Name.
Notes:
• If the gateway address and DNS addresses are assigned by a PPPoE server, a DHCP server, or through a backup link, the value cannot be changed.

Network Cards
About Network Card 1 (LAN eth0)
Network Card 1 is the interface to the internal network (LAN). The information was entered during initial installation. This can be changed.
About Network Card 2 (WAN eth1)
Network Card 2 is the interface to the external network (Internet). This network card (eth1)
About Network Card 3 (DMZ eth2)
This network card (eth2) is the interface to the optional DMZ network.

Network Setup > PPP
The PPP link is used as a backup link to the WAN interface. If the PPPoE or static link goes down, the backup link comes up automatically and the system is again connected to the ISP. On this screen you can set up PPP dial-up backup for your WAN interface.
PPP Settings
Enable PPP Dial Backup for WAN – To enable PPP Dial Backup for WAN, check the corresponding checkbox.

Network Setup > PPPoE
PPPoE (Point-to-Point Protocol over Ethernet) is a specification for connecting multiple computer users on an Ethernet local area network to a remote site through DSL or cable modems or similar devices. PPPoE can be used to let an office or a building full of users share a common Digital Subscriber Line (DSL), cable modem, or wireless connection to the Internet.

Network Setup > DHCP Client
On this screen you can enable the DHCP Client (Dynamic Host Configuration Protocol), a TCP/IP protocol that enables PCs and workstations to get temporary or permanent IP addresses out of a pool from centrally administered servers. This screen provides user messages such as the one shown in red. Later, it displays the Current DHCP Client Status.

Network Setup > Dynamic DNS
Dynamic DNS allows a user to connect his PC to the Internet with a dynamic IP address and still use applications that require a static IP address.
Dynamic DNS Settings
Dynamic DNS Client – Check the box to enable the Dynamic DNS Client for this machine.
User Name – Enter the name or the email ID you specified while registering with the Dynamic DNS server.

Network Setup > Routes
Routing information is used by every computer connected to a network to identify whether it is sending a data packet directly to the Firewall or passing it on to another network. There are two types of routes used by the firewall: interface routes, which describe routing entries for directly connected networks, and static routes, which describe routes that are reached through a secondary router.

Network Setup > Masquerading
Masquerading is a process that allows a whole network to hide behind one or several addresses, preventing the identification of your network topology from the outside. Masquerading enables the user to enter only one source network. All services are automatically included in the translation. The translation takes place only if the packet is sent via the indicated network interface.

Network Setup > SNAT
The SNAT (Source Network Address Translation) process allows attaching private networks to public networks. SNAT is used when you want a LAN using a private IP network to be connected to the Internet via a firewall. Since the private IP addresses are not routed on the Internet, you have to apply SNAT on the firewall’s external interface. The firewall’s internal interface serves as the default gateway for the LAN.

Network Setup > DNAT
On this screen you can set up DNAT re-routing. DNAT (Destination Network Address Translation) translates the target addresses of IP packets. Use DNAT if you want to operate a private network behind your RouteFinder firewall and make network services that run only inside this private network available to the Internet.
DHCP Server

DHCP Server > Subnet Settings
DHCP (Dynamic Host Configuration Protocol) is a protocol that allows individual devices on an IP network to get their own network configuration information (IP address, subnet mask, broadcast address, etc.) from a DHCP server. The overall purpose of DHCP is to make it easier to administer a large network. The DHCP package includes the DHCP server and a DHCP relay agent.

Tracking

Tracking > Accounting
The Accounting function records all the IP packets on the external network cards and sums up their sizes. The traffic sum for each day is calculated once a day. Additionally, the traffic sum for the current month is calculated and displayed. This is the amount that your ISP (Internet Service Provider) will charge you for if your payment plan is based on the amount of data you transfer.

Tracking > Update Services
On this screen you can define RouteFinder update parameters. If you use the Update Service, your RouteFinder can be continually updated with new virus protection patterns, system patches, security features, and new features. The updates are signed and encrypted and are read in via an encrypted connection.

Update Services
Update System, Update Virus Patterns, Update URL Categories Database
This section of the screen allows you to start the update processes of these services. Click the Start button to start the Update System, Update Virus Patterns, and/or Update URL Categories Database processes. Note that the Current Version and Updates fields display automatically.

Tracking > Backup
The Backup function lets you save the RouteFinder settings on a local hard disk. With a backup file, you can set a recently installed RouteFinder to the identical configuration level as an existing RouteFinder. This is useful in case there is a problem with your new settings. Also, a new RouteFinder can be installed and the backup read in within minutes, so a replacement system can be running in a very short time.

Import Backup from Remote Client
When a backup is taken, the backup file is sent to the administrator through email. This function is used for restoring the configuration files from a remote client. After clicking the Import button, a list of all the backup files maintained on the remote client’s PC displays. Select the file you want to import and click the Get Comments button to read the comments for this file to verify that this is the file you want.

Tracking > Version Control
These settings are the configuration management system settings. All configuration files can be saved in a repository on a CVS server. There are fields for setting the IP address of the CVS server, user name, password, and the repository path. The corresponding user account and directory structure should be created on the CVS server.
CVS Settings
User Name – Enter the name of the user for whom the account will be created.
Packet Filters

Packet Filters > Packet Filter Rules
The Packet Filter is a key element of the RouteFinder. Packet filters are used to set firewall rules that define what type of data traffic is allowed across the RouteFinder's firewall. Certain System Defined Rules exist by default. You can specify whether particular packets are to be forwarded through the RouteFinder system or filtered.

System Defined Rules
These rules define a set of common application services that are allowed outbound access through the RouteFinder's WAN interface. The software defines a default Service Group called default_outbound. The services under default_outbound are FTP, TELNET, DNS, HTTP, POP3, IMAP, and HTTPS.

Add User Defined Packet Filter Rules
New packet filter rules are created by choosing from four drop-down lists.

Packet Filters > ICMP
ICMP (Internet Control Message Protocol) is necessary to test network connections and to test the functionality of your firewall. It is also used for diagnostic purposes. ICMP-forwarding and ICMP-on-firewall always apply to all IP addresses (“Any”). When these are enabled, all IPs can ping the firewall (ICMP-on-firewall) or the network behind it (ICMP-forwarding).

Packet Filters > Advanced
On this screen you can configure the advanced packet filter settings.
H.323 Packets Passthrough – Check this box to enable the forwarding of H.323 packets across the firewall. Click Save.
PPTP Packets Passthrough – Check this box to enable PPTP packet passthrough (PPTP NAT support). Click Save. This includes two features:
1. Server behind the firewall and client on the Internet. DNAT of PPTP packets.
2.

Packet Filters > Enable/Disable Log
On this screen you can enable/disable RouteFinder firewall logging.
Enable/Disable Logging
Permitted Inbound Access Logs – Check this box to enable the logging of all permitted inbound access requests from public (WAN) network clients that use a service hosted on the RouteFinder itself or on a private (LAN) or service (DMZ) server/host.
VPN (Virtual Private Networks)

VPN > IPSec
Introduction to Virtual Private Networks
A Virtual Private Network (VPN) is a secure communication connection via an insecure medium – usually the Internet. A VPN is useful in situations where information is sent and received via the Internet and it is important that no third party can read or change that information. Such a connection is secured via VPN software that is installed at both ends of the connection.

VPN > IPSec > Add IKE Connection
Add an IKE Connection
The IKE protocol automatically negotiates protocols and encryption algorithms and handles the automatic exchange of keys.
Add IKE Connection
Connection Name – Enter a text name that will identify the connection for you.
Compression – Check the compression checkbox to enable IPCOMP, the compression algorithm.
Local WAN IP – This is the interface initiating the IPSec tunnel.
Local LAN – Local security gateway for which the security services should be provided. If the RouteFinder acts as a host, this should be configured as None.
Remote Gateway IP or FQDN – Interface where the IPSec tunnel ends. In the case of a Road Warrior with a dynamic IP address, this should be configured as ANY.

VPN > IPSec > Manual
Add a Manual Connection
Add Manual Connection
Connection Name – Enter a text name that will identify the connection for you.
Compression – Check the compression checkbox to enable IPCOMP, the compression algorithm.
Authentication Method – Decides the encryption and authentication algorithms to be used for the respective security services. Options are:
Authentication only:
1. AH using MD5 – 128 bit key
2. AH using SHA1 – 160 bit key
Encryption only:
1.
Local LAN – This is the local security gateway for which the security services are to be provided. If the RouteFinder acts as a host, this should be configured as None.
Remote Gateway IP – This is the interface in which the IPSec tunnel ends. In the case of a Road Warrior with a dynamic IP address, this should be configured as ANY.
Remote LAN – This is the remote security gateway for which the security services are to be provided.

VPN > X.509 Certificates
X.509 is an International Telecommunication Union (ITU-T) and ISO certificate format standard. The last release of this standard was X.509 Version 3 in the year 1996. An X.509 certificate is a confirmation of identity that binds an entity's unique name to its public key through the use of a digital signature. It also contains the unique name of the certificate user.

VPN > PPTP
PPTP is a tunneling protocol meant for tunneling IP/non-IP packets through an IP-only network (the Internet). The configuration of VPN PPTP lets you grant single specified hosts access to your network via an encrypted tunnel. PPTP is considerably easier to set up than IPSec because, if Microsoft Windows is being used, it does not require additional software on the client computer as IPSec does.

PPTP Settings
Status – Check the Status checkbox to enable this PPTP function.
Encryption Strength – Select the encryption strength, either strong (128 Bit, the default) or weak (40 Bit) encryption. This field defines the encryption strength (40 bit or 128 bit) for the remote access connection.
Notes: Windows 98 and ME support strong encryption. Windows 2000 contains only 40-bit encryption strength.
Wizard Setup
Using the Wizard Setup screen is a quick way to configure your RouteFinder. The screen contains the basic configuration input fields for setting up the RouteFinder as a firewall. If you want to configure your RouteFinder to meet your company’s specific needs beyond what is covered in the Wizard, use the Web Management software. When you select Wizard Setup from the menu, a Java Security dialog box may or may not display.

Packet Filter Rule – If this setting is enabled by checking the checkbox, all packets coming from the LAN will be forwarded by the firewall. If disabled, none of the packets will go through.
Modem Settings – Use this checkbox to enable/disable the modem PPP dial backup feature. If enabled, enter the User Name, Password, Serial Port, Baud Rate, Dial Number, and Initialization Strings for the backup port.
Statistics & Logs
Various log files maintained by the RouteFinder can be viewed and/or downloaded to the browser. This function provides current system information, status, and usage information. The information is valuable for troubleshooting and for monitoring the RouteFinder's operational status and overall performance.

Statistics & Logs > Uptime
Uptime tells you how long the system has been running. The first line displays the date and time the system was started. The second line displays the total time elapsed since the system was started in days, hours, minutes, and seconds.

Statistics & Logs > Hardware
This screen displays a graphical presentation of the CPU, RAM, and SWAP utilization by days, weeks, months, and years.

Statistics & Logs > Networks
This menu displays an analysis of the RouteFinder network interface details, routing, and network connections.
Network Interface Cards – Click the Interface Details button to display the details of all the interfaces (Ethernet, IPSec, PPP, and local interfaces).
Routing Table – Click Routing Table to display the Kernel IP routing table of all entered routes.
Network Connections – Click the Network Connections button to display the status of all current (active) network connections to or from your RouteFinder. Information on the active protocol, receive queue, send queue, local address, foreign address, and current state is shown for each of the RouteFinder's active Internet connections.

Statistics & Logs > Interfaces
The information displayed under each option shows the network traffic on each interface (LAN, WAN, DMZ) delineated by days, weeks, months, and years. Interfaces must be added on the Tracking > Accounting screen.
Network Traffic Overview - LAN - WAN - DMZ
Click the LAN Traffic button for a graphical overview of network traffic on the LAN interface.

Statistics & Logs > SMTP Proxy
The SMTP Proxy screen displays the RouteFinder's SMTP proxy (email) usage and status in two windows called SMTP Logs and SMTP Status. It shows a real-time log of the email traffic via the SMTP proxy. The real-time log function is started by clicking the Open SMTP Log button.
SMTP Log – Click the SMTP Log button to display real-time statistics of the SMTP proxy activities.

Statistics & Logs > Accounting
This report gives the details of the amount of data transferred in bytes through the system on every interface (LAN, WAN, DMZ). The Accounting function records all the IP packets on the external network cards and sums up their sizes. Each day’s total is calculated once a day. Additionally, the number of bytes of data is calculated for each month.

Statistics & Logs > Self Monitor
The Self Monitoring function ensures the integrity of the RouteFinder system and informs the administrator of important events by email. Self Monitoring controls the function, performance, and security of the system parameters and takes regulating measures when it detects divergences that go beyond a certain tolerance. The system administrator then receives a report via email.

Statistics & Logs > IPSec
IPSec Live Log – Click the IPSec Live Log button to display information about initialization, encryption/decryption messages, route manipulation, IPSec/IKE interaction, and IKE processing messages.
IPSec Live Connections – Click the IPSec Live Connections button to display real-time VPN statistics about active VPN routes and connections.

Statistics & Logs > Packet Filter
This report shows the RouteFinder firewall logs for various types of packets. The type and number of packets to be displayed can be configured. You can also select the refresh rate of the log display. On the Packet Filters > Packet Filter Rules page, if there is any user-defined filter with Action set to LOG, the packets matching the corresponding source address and service will be logged.

Statistics & Logs > Port Scans
The Port Scans screen displays the information gathered by the Network Intrusion Detection module, which guarantees the integrity of the system by watching and logging stealth port scans and suspicious packets. The system administrator will receive emails every hour if such packets are received.

Statistics & Logs > HTTP Access
HTTP Access reports provide a clear picture of “where” your users are going on the Internet.
Generate HTTP Access Reports
This screen displays when the Generate HTTP Access Reports button is clicked (see screen above).
1.
2. Click the Generate button to generate the current day’s HTTP Access report.

Statistics & Logs > DHCP
This live log gives information about the DHCP leases that have been provided so far.
Example of a DHCP Log
Multi-Tech Systems, Inc.

Statistics & Logs > SMTP & POP3 Virus Quarantines
If the Virus Scanner is enabled, and if the SMTP proxy captures any virus-infected emails, the emails will be saved in the virus quarantine area.
Chapter 7 – User Authentication Methods
While you can restrict access of your internal clients to proxy services at the IP level by using packet filter rules, you will run into problems when you use a dynamic IP configuration protocol like DHCP or BOOTP internally. That's where Proxy User Authentication steps in.

Authentication Setup
Choose one of the following setup methods.

Setting Up RADIUS Authentication
To set up RADIUS Authentication, you first need a RADIUS server on your network. The server can be anywhere on the Internet, but keep in mind that passwords are transferred in clear text. Therefore, we strongly recommend putting the RADIUS server somewhere near your RouteFinder and using a switched network hub to connect them. Choosing the RADIUS server is up to you.

Setting Up NT/2000 SAM (SMB) Authentication
To set up Windows NT/2000 SAM Authentication, you will need an NT/2000 machine on your network that holds the user accounts. This can be a domain controller (PDC) or a simple standalone server. The server has a NETBIOS name (the NT/2000 server name) and an IP address. Put these values in the configuration of the NT SAM method in User Authentication > RADIUS & SAM as PDC Name and PDC Address.
Chapter 8 – Frequently Asked Questions (FAQs)

Q1. In general, what does the RouteFinder do?
A1. The RouteFinder VPN Gateway/Firewall Router lets you use data encryption and the Internet to securely connect to your telecommuters, remote offices, customers, or suppliers while avoiding the cost of expensive private leased lines. The browser-based interface eases VPN configuration and management.

Q11. Is it possible to define a static NAT from the outside to the inside (e.g., map external IP a.b.c.d to internal IP w.x.y.z) in both directions?
A11. Yes, it is possible to do static NAT, but with limitations.
You can map:
IP => IP
IP/Port => IP/Port
IP-Range => IP
IP/Port-Range => IP/Port
You cannot map:
IP => IP-Range (load balancing)
IP-Range/Port => IP/Port
IP-Range/Port-Range => IP/Port
The way back is done automatically.

Q13. Can I forward SSH connections?
A13. Yes, by configuring port forwarding of SSH (dest. port 22): Source: External Interface Port 22 goes to Destination: SSH_Server Port 22.
Procedure:
1. Define two Hosts in Networks & Services:
external_NIC a.b.c.d 255.255.255.255
SSH_Server e.f.g.h 255.255.255.255
2. Define one Service in Networks & Services:
NAT_SSH TCP 0:65534 22
3. Add one NAT-Rule in Network Setup > DNAT:
external_NIC NAT_SSH -> SSH_Server NAT_SSH
4.
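The Hosts, Service and DNAT rule from the Q13 procedure, evaluated against sample packets, with the automatic return translation mentioned in A11. This Python model is an added illustration, not RouteFinder code: the Host, Service, DnatRule and Packet types, the apply_dnat and untranslate_reply functions, and the RFC 5737 documentation addresses that stand in for a.b.c.d and e.f.g.h are all constructed for this example.

```python
"""Model of the DNAT configuration in the Q13 procedure (added illustration,
not RouteFinder code).

A Host in Networks & Services is an address plus a netmask (255.255.255.255
for a single host). A Service is a protocol, a source port range and a
destination port (NAT_SSH: TCP 0:65534 22). A DNAT rule reads
"<host> <service> -> <host> <service>". The types, apply_dnat() and
untranslate_reply() are constructed for this example, as are the addresses.
"""
from dataclasses import dataclass
from ipaddress import IPv4Network, ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Host:
    name: str
    address: str
    netmask: str = "255.255.255.255"

    def network(self) -> IPv4Network:
        # strict=False lets an address inside the range stand for the range
        return ip_network(f"{self.address}/{self.netmask}", strict=False)


@dataclass(frozen=True)
class Service:
    name: str
    protocol: str
    src_ports: Tuple[int, int]     # "0:65534" -> (0, 65534)
    dst_port: int

    @classmethod
    def parse(cls, name: str, protocol: str, src_range: str, dst_port: str) -> "Service":
        """Build a Service from the columns shown in Networks & Services."""
        lo, _, hi = src_range.partition(":")
        hi = hi or lo                            # a bare port is a range of one
        return cls(name, protocol.upper(), (int(lo), int(hi)), int(dst_port))


@dataclass(frozen=True)
class DnatRule:
    match_host: Host          # packets addressed to this host ...
    match_service: Service    # ... for this service ...
    target_host: Host         # ... are re-addressed to this host ...
    target_service: Service   # ... on this service's destination port

    def __post_init__(self) -> None:
        # The rewritten destination has to be one concrete address.
        if self.target_host.network().num_addresses != 1:
            raise ValueError("DNAT target must be a single host (netmask 255.255.255.255)")


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str
    src_port: int
    dst_port: int


def apply_dnat(pkt: Packet, rules: List[DnatRule]) -> Optional[Packet]:
    """Return the packet as rewritten by the first matching rule, or None.

    A rule matches when protocol, destination address (within the host's
    netmask), source port range and destination port all agree.
    """
    for rule in rules:
        svc = rule.match_service
        lo, hi = svc.src_ports
        if (pkt.protocol.upper() == svc.protocol
                and ip_address(pkt.dst) in rule.match_host.network()
                and lo <= pkt.src_port <= hi
                and pkt.dst_port == svc.dst_port):
            return Packet(pkt.protocol, pkt.src, rule.target_host.address,
                          pkt.src_port, rule.target_service.dst_port)
    return None


def untranslate_reply(reply: Packet, original: Packet) -> Packet:
    """'The way back is done automatically': the server's reply gets its source
    rewritten to the address and port the client originally talked to."""
    return Packet(reply.protocol, original.dst, reply.dst,
                  original.dst_port, reply.dst_port)


def ssh_forwarding_rules(external_ip: str, ssh_server_ip: str) -> List[DnatRule]:
    """The three Q13 steps: two Hosts, one Service, one DNAT rule."""
    external_nic = Host("external_NIC", external_ip)               # step 1
    ssh_server = Host("SSH_Server", ssh_server_ip)
    nat_ssh = Service.parse("NAT_SSH", "TCP", "0:65534", "22")     # step 2
    return [DnatRule(external_nic, nat_ssh, ssh_server, nat_ssh)]  # step 3
```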
Q19. Why is the export of cryptography controlled?
A19. Cryptography is export-controlled for several reasons. Strong cryptography can be used for criminal purposes or even as a weapon of war. In wartime, the ability to intercept and decipher enemy communications is crucial. Therefore, cryptographic technologies are subject to export controls. U.S.

This rule allows the FTP server to make outgoing connections to clients, thus enabling the PORT command.
Any PASV_Range FTP_Server Allow
This rule allows connections from clients to the passive port range of the FTP server (needed to make passive mode work).
Add the DNAT rules.

Q33. What is a single-homed and multi-homed firewall?
A33. A multi-homed firewall has multiple network interfaces and does not forward packets. Single-homed firewalls have one network interface card. You would use a single-homed firewall with a choke router that filters packets not originating from the SOCKS server.

Q34. Is there an RFC for SOCKS?
A34. There is no official RFC for Version 4 of the protocol.
Chapter 9 – Troubleshooting
1. Review the RouteFinder FAQs in the previous section.
2. Verify that the pre-installation requirements are met. Refer to Chapter 2 of this manual.
3. Verify that the Administration PC requirements are met (correct Default Gateway configuration, using an HTTPS-compatible browser, JavaScript and Cascading Style Sheets active, and proxies deactivated in the browser).
4.

11. Attach a monitor and keyboard to the RouteFinder for monitoring and debugging (refer to Chapter 5 of this manual for keyboard and monitor connection information).
12.
Appendix A – Disposition of Events Appendix A – Disposition of Events for the RouteFinder v3.2x For ICSA Certification Based on The Modular Firewall Certification Criteria Baseline module - version 4.0 Revision History Date 16-Aug-2004 Revision R1 Remarks/Changes Baseline document Table of Contents 1. Abstract .......................................................................................................................................................... 142 II. Inbound Access Log ..............
Appendix A – Disposition of Events 1. Abstract Disposition of Events The LVPN RouteFinder 3.2x provides logging capabilities for various types of Access requests to the product. The logging is classified as follows: • Inbound Access Requests (LO1.A) • Outbound Access Requests (LO1.B) • Access Requests to Firewall Violating Security Policy (LO1.C) • Access Requests Through Firewall Violating Security Policy (LO1.D) • Administrative Authentication Log (LO1.E) • Admin Port Access Requests (LO1.
Appendix A – Disposition of Events Admin Port Access Requests All requests to the Administrative port (HTTPS/HTTP to the box using the WEB GUI) are logged as Admin Port Traffic. Access requests logged as Admin Port Access requests correspond to LO1.F of Baseline module - version 4.0, ICSA Labs. Figure 11 shows a snapshot of Admin Port Access log. Startup History The system startup Timestamp is logged as Startup History. Startup History corresponds to LO1.G of Baseline module version 4.0, ICSA Labs.
Appendix A – Disposition of Events Inbound Access (DNAT with Connection Tracking) Figure 3 – Inbound Access (DNAT with Connection Tracking) Description of Figure 3 The Access request originated from the source (204.26.122.9) to the destination (204.54.39.103), which is further DNATTED to the ip-address 192.168.1.76 on port 20:21. The above figure illustrates a capture of the FTP service.
Appendix A – Disposition of Events III. Outbound Access Log Figure 4 – Outbound Access Figure 5 – Snapshot of Outbound Access Log Figure 6 – Snapshot of Outbound Access Log (with Connection Tracking) Multi-Tech Systems, Inc.
Appendix A – Disposition of Events Description of Figure 6 The FTP Access request originated from the source (192.168.1.212 [SlNO 2]) to the destination (195.220.108.108). The above figure illustrates a capture of FTP service. • Slno 2, in the above snapshot, corresponds to the control connection (Remarks in the second half of the snapshot is a continuation of the capture). Remarks: “Outbound” Src: 192.168.1.212, Dst: 195.220.108.108 on Port: 21.
VI. Administrative Authentication Logs Figure 10 – Snapshot of Administrative Authentication Log VII. Admin Port Access Log Figure 11 – Snapshot of Admin Port Access Log VIII. Startup History Log Figure 12 – Snapshot of Startup History IX. User Log Figure 13 – Snapshot of User Log X. Fragmented Dropped Log Figure 14 – Snapshot of Fragmented Dropped Log
XI. ICMP Information Figure 15 – Snapshot of Log with ICMP Information
Appendix B – The RouteFinder Rescue Kernel What Is a Rescue Kernel? The Rescue Kernel is a software program that allows you to reinstall the RouteFinder software without connecting a CD-ROM drive and using the RouteFinder software CD. The Rescue Kernel can be installed on any of the RF6xx and RF7xx hardware, and it can be installed under any version of the RouteFinder software.
Links You Will Need During the Install Process Link to download a Windows FTP server: http://support.jgaa.com Link to download the WinSCP client for Windows: http://winscp.sourceforge.net/eng/ Link to download the PuTTY Telnet/SSH client: http://www.chiark.greenend.org.uk/ Three Methods for Performing the Software Reinstallation Using the Rescue Kernel Method 1 – This method uses no external server. Method 2 – This method uses an external FTP server.
9. Connect a monitor to the RouteFinder and watch the install to make sure the process does not show any problems. If there are problems during the install, you will need to use Method 3 to recover. If you do not have a monitor, you can listen for the following beep patterns: • The first three beeps. These beeps signal that the system is restarting in order to run the Rescue Kernel. • The second five beeps. These beeps signal that the installation is done.
7. Type in lilo -R RFNetInstall. (The -R option makes LILO boot the RFNetInstall image on the next reboot only; later reboots return to the default image.) 8. Type in reboot. 9. Connect a monitor to the RouteFinder and watch the install to make sure the process does not show any problems. If there are problems during the install, you will need to use Method 3 to recover. If you do not have a monitor, you can listen for the following beep patterns: • The first three beeps. These beeps signal that the system is restarting in order to run the Rescue Kernel. • The second five beeps.
Appendix C – Board Components, Hardware Upgrades & Add-ons, Software Add-ons, Overnight Replacement Board Components The RouteFinder board components are illustrated and discussed below. Note: Several of the RouteFinder board components are user-configurable; however, please contact Tech Support before changing the component settings. Notes: • The board in the example shown below is for the RF660VPN.
850 MHz Intel Celeron processor: the microprocessor that provides processing power to the unit. The processor can be upgraded in the field for additional processing power. On the RF760VPN: 2 GHz Pentium 4. 256 MB PC133 non-ECC DIMM: the memory component for the unit. The DIMM memory module can be upgraded in the field for higher performance. Early RouteFinders had a 128 MB PC100 non-ECC DIMM.
Memory Upgrade The standard 128 MB memory module can be upgraded in the field to 256 MB. 1. Remove the RouteFinder top cover using the procedure earlier in this chapter. 2. Pull back on the beige plastic DIMM retaining tabs on both sides of the DIMM holder at M1. 3. Carefully remove the existing DIMM card. 4. Insert the upgrade DIMM card following the manufacturer's documentation.
Software Add-ons Listed below are the software add-ons available for the RouteFinder: SSH Sentinel IPSec VPN Client Software The SSH Sentinel IPSec VPN Client software is available in 1-, 5-, 10- and 50-user packages. The RouteFinder provides SSH Sentinel client software (30-day trial Internet Pilot version with Static IP support).
Appendix D – CD-ROM Drive Adapter and Pin Out CD-ROM Drive Adapter Dimensions Pin 1 Note: Pin 1 of the converter must match the red line of the ribbon cable. The adapter is polarity sensitive; it will not work if the adapter is inverted. CD-ROM Drive Adapter Pin Out The 44-pin (m)-to-40-pin (f) adapter pin-out is shown below. P1 is the 44-pin male header; P2 is the 40-pin female box header.
Appendix E – RouteFinder Maintenance This section covers issues related to routinely maintaining the RouteFinder, including: • Housekeeping • Monitoring • Updating Housekeeping Housekeeping includes the on-going list of tasks that you need to perform to keep your environment safe and clean. The three main housekeeping tasks that you'll need to revisit periodically are: • System backups – This includes regular backups of RouteFinder configurations and reporting logs.
Updating This involves keeping both yourself and your RouteFinder abreast of new bugs, new attacks, new patches, new tools and resources, etc. Much of the RouteFinder updating effort can be done automatically (refer to the Tracking > Update Service section in Chapter 3). Administrators can keep themselves current with mailing lists, newsgroups, security forums, etc.
Appendix F – Ordering Accessories SupplyNet, Inc. supplies replacement transformers, cables, and connectors for select Multi-Tech products. You can place an order with SupplyNet via mail, phone, fax, or the Internet at: Mail: SupplyNet, Inc. 614 Corporate Way Valley Cottage, NY 10989 Phone: 800 826-0279 Fax: 914 267-2420 Email: info@thesupplynet.com Internet: http://www.thesupplynet.com SupplyNet Online Ordering Instructions 1. Browse to http://www.thesupplynet.
Appendix G – Technical Support
Technical Support Contacts
Country              By Email                       By Phone
France:              support@multitech.fr           (33) 1-64 61 09 81
India:               support@multitechindia.com     91 (124) 6340778
U.K.:                support@multitech.co.uk        (44) 118 959 7774
U.S. and Canada:     support@multitech.com          (800) 972-2439
Rest of the World:   support@multitech.com          (763) 717-5863
Internet Address: http://www.multitech.com FTP Address: ftp://ftp.multitech.com.
Appendix H – Multi-Tech Systems, Inc. Warranty and Repairs Policies Multi-Tech Warranty Statement Multi-Tech Systems, Inc., (hereafter “MTS”) warrants that its products will be free from defects in material or workmanship for a period of two, five, or ten years (depending on model) from date of purchase, or if proof of purchase is not provided, two, five, or ten years (depending on model) from date of shipment.
Please direct your questions regarding technical matters, product configuration, verification that the product is defective, etc., to our Technical Support department nearest you or email support@multitech.com. When calling the U.S., please direct your questions regarding repair expediting, receiving, shipping, billing, etc., to our Repair Accounting department at +(763) 717-5631 in the U.S.A., or email mtsrepair@multitech.com.
Appendix I – Regulatory Compliance EMC, Safety, and R&TTE Directive Compliance The CE mark is affixed to this product to confirm compliance with the following European Community Directives: Council Directive 89/336/EEC of 3 May 1989 on the approximation of the laws of Member States relating to electromagnetic compatibility.
Industry Canada for the Modem Operation This Class A digital apparatus meets all requirements of the Canadian Interference-Causing Equipment Regulations. Cet appareil numérique de la classe A respecte toutes les exigences du Règlement sur le matériel brouilleur du Canada.
Appendix J – License Agreements Multi-Tech Systems, Inc. End User License Agreement (EULA) IMPORTANT - READ BEFORE OPENING THE SOFTWARE PACKAGE This is a basic multi-user software license granted by Multi-Tech Systems, Inc., a Minnesota corporation, with its mailing address at 2205 Woodale Drive, Mounds View, MN 55112. This is a legal agreement between you (either an individual or a single entity) and Multi-Tech Systems, Inc.
I will not use the Programs for, and will not allow the Programs to be used for, any purposes prohibited by United States law, including, without limitation, for the development, design, manufacture or production of nuclear, chemical, or biological weapons of mass destruction. Licensee agrees that by purchase and/or use of the Software, s/he hereby accepts and agrees to the terms of this License Agreement.
GNU GENERAL PUBLIC LICENSE Version 2, June 1991 Copyright (C) 1989, 1991 Free Software Foundation, Inc. 59 Temple Place, Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. Preamble The licenses for most software are designed to take away your freedom to share and change it.
c) Accompany it with the information you received as to the offer to distribute corresponding source code. (This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accord with Subsection b above.) The source code for a work means the preferred form of the work for making modifications to it.
SurfControl URL Filtering End-User Terms The parties agree that as a condition of the rights and licenses granted by SurfControl under the Agreement, each license agreement to end-users for the Bundle (“End-Users”) shall contain, at a minimum, substantially the following terms, allowing reasonable modifications to keep consistent terminology and without materially changing the associated meaning: SURFCONTROL SOFTWARE LICENSE AGREEMENT PLEASE READ THIS CAREFULLY BEFORE YOU IN
and/or the Subscription Lists, if any. Licensee may not permit third parties to benefit from the use or functionality of the Software via a service bureau or other arrangement. Licensee may not copy the Software except as expressly permitted in Section 2 above. Licensee agrees that the use of the Software may be restricted by applicable laws and regulations, including without limitation, privacy laws.
Licensee acknowledges that the allocation of risk in this License reflects the price paid for the Software and also the fact that it is not within SurfControl’s control how or for what purposes the Software is used. THE SECTIONS ON LIMITATION OF LIABILITY, WARRANTIES AND DISCLAIMER OF WARRANTIES ALLOCATE THE RISKS OF THIS LICENSE BETWEEN THE PARTIES.
Kaspersky Standard End User License Agreement. Standard End User License Agreement NOTICE TO ALL USERS: CAREFULLY READ THE FOLLOWING LEGAL AGREEMENT ("AGREEMENT"), FOR THE LICENSE OF SPECIFIED SOFTWARE ("SOFTWARE") PRODUCED BY KASPERSKY LAB. ("KASPERSKY LAB"). IF YOU HAVE PURCHASED THIS SOFTWARE VIA INTERNET BY CLICKING THE ACCEPT BUTTON, YOU (EITHER AN INDIVIDUAL OR A SINGLE ENTITY) CONSENT TO BE BOUND BY AND BECOME A PARTY TO THIS AGREEMENT.
(iii) By completion of the Support Services Subscription Form you consent to the terms of the Kaspersky Lab Privacy Policy which is attached to this Agreement, and you explicitly consent to the transfer of data to other countries outside your own as set out in the Privacy Policy.
Appendix K – Waste Electrical and Electronic Equipment Directive (WEEE) Waste Electrical and Electronic Equipment (WEEE) Directive The WEEE directive places an obligation on manufacturers, distributors and retailers to take-back electronic products at the end of their useful life.
Glossary * (Asterisk character) – The ‘wildcard’ character, used to signify “all within this group or function” (e.g., use * to specify all domain names). A special symbol that stands for one or more characters. Many operating systems and applications support wildcards for identifying files and directories. This lets you select multiple files with a single specification. For example, in DOS and Windows, the asterisk (*) is a wild card that stands for any combination of letters.
CSS (Cascading Style Sheets) – HTML was intended to mark up only a Web page's structure, but not its on-screen display characteristics. For Web page appearances, the World Wide Web Consortium (W3C) developed a complementary markup system called Cascading Style Sheets (CSS) to make it easier to define a page's appearance without affecting its HTML structure. HTML can be frustrating when trying to control the appearance of a Web page and its contents.
Destination Port Number ZZZZ – All the traffic going through the firewall is part of a connection. A connection consists of the pair of IP addresses that are talking to each other, as well a pair of port numbers. The destination port number often indicates the type of service being connected to. When a firewall blocks a connection, it will save the destination port number to its logfile. Port numbers are divided into three ranges: • The Well-Known Ports are those from 0 through 1023.
ESP (Encapsulating Security Payload) – An IPsec protocol that provides confidentiality (encryption) for IP packets and, optionally, integrity and data-origin authentication; AH, by contrast, provides integrity and authentication only, with no encryption. IP ESP may be applied in combination with AH. Security services can be provided between a pair of communicating hosts, between a pair of communicating security gateways, or between a security gateway and a host. ESP may be used to provide authentication services comparable to AH, plus an encryption service, with one difference: ESP's integrity check does not cover the outer IP header, while AH's does.
HTTPS – HTTP over SSL/TLS, a secure way of transferring information over the World Wide Web: the browser and server set up an encrypted, server-authenticated session before any HTTP request is sent. HTTPS refers to the URL scheme (e.g., https://192.168.2.100) used to reach the RouteFinder Web GUI. It should not be confused with S-HTTP (Secure HTTP, IETF RFC 2660), a separate and rarely deployed scheme for securing individual HTTP messages rather than the transport connection.
LILO (LInux LOader) – LILO is a small program that sits on the master boot record of a hard drive or on the boot sector of a partition. LILO is used to start the loading process of the Linux kernel. (There are other programs that can also do this, such as grub. Most distributions/versions of Linux use LILO.
Policy – The purpose of an IPSec Security Policy is to define how an organization is going to protect itself. The policy will generally require two parts: a general policy and specific rules (e.g., a system-specific policy). The general policy sets the overall approach to Security. The rules define what is and what is not allowed. The Security Policy describes how data is protected, which traffic is allowed or denied, and who can and cannot use various network resources.
PuTTY – A simple but excellent SSH and Telnet replacement for Windows 95/98/NT that happens to be free. Installation is simple - you download PuTTY.exe and store it somewhere on your system that's convenient. Qmail – A security-oriented Unix mailer daemon developed by Dan Bernstein. RADIUS – RADIUS stands for Remote Authentication Dial-In User Service. RADIUS is a protocol with which the router can obtain information for the user authentication from a central server.
Server – A server is a device on the network that provides mostly standardized services (e.g., www, FTP, news, etc.). To be able to use these services, you as a user require the comparable client requirements for the desired service. SHA (Secure Hash Algorithm) – A United States government standard for a strong one-way, hash algorithm that produces a 160-bit digest. See MD5. SHA-1 is defined in FIPS PUB 180-1.
TLS (Transport Layer Security) – An open security standard that is similar to SSL3. (Note that some web sites may not support the TLS protocol.) Trace Route – A program available on many systems that traces the path a packet takes to a destination. It is mostly used to debug routing problems between hosts. A Trace Route protocol is defined in IETF RFC 1393. Trusted Subnetwork – A subnetwork of hosts and routers that can trust each other not to engage in active or passive attacks.
Index 3 3DES Encryption ...........................................15 3DES Throughput ..........................................................15 A About Firewalls .....................................................................17 Interfaces ...................................................................83 Accessories .................................................................160 Accounting .....................................................................
Remote Client-to-LAN setup ......................................36 F Factory Defaults.............................................................54 Features...........................................................................7 Filtering Rules................................................................41 Finding license key numbers .........................................10 Firewall Certification.......................................................16 Firewall Features ..................
NT/2000 SAM Authentication Setup ............................132 O Open Web Browser .......................................................24 Operating Environment ..................................................16 Overnight Replacement Service ..................................156 P Packet Filter > ICMP......................................................52 Packet Filter Logs ........................................................125 Packet Filter Rules..........................................
Statistics & Logs > Self Monitor ...................................123 Statistics & Logs > SMTP & POP3 Virus Quarantines.129 Statistics & Logs > SMTP Proxy ..................................121 Statistics & Logs > SMTP Spam Quarantines..............129 Statistics & Logs > Uptime ...........................................117 Statistics & Logs > View Logs......................................126 Sub-menus ....................................................................27 Subnet Settings ..........